webshock asked on

Unable to load profile - Access Denied

The server is a Microsoft Server 2003 Standard.
I added a user to the remote users group but when a user tries to log onto it through Terminal Services, they get "unable to load profile Access Denied".

If I make the user an administrator they can load the profile.

Can anyone help me fix the issue? Where do I start troubleshooting?
OS Security, Microsoft Server OS, Windows Server 2003

Last Comment
Henrik Johansson

8/22/2022 - Mon
plug1

Can they log into the domain locally, not via terminal services? If they can't then the problem lies with their roaming profile, you need to reset the permissions on their profile folder and give them full control over it.
Henrik Johansson

Check the permissions on the C:\Documents and settings
Users shall have read/execute and system shall have full control.

Check that C:\Documents and settings\%username% exists, and grant the user full control of his folder. Even if the folder itself looks ok, force the permissions to apply on subfolders and files by using advanced->"replace permissions on all child objects...".

If the error only occurs first time the user logs on, also grant the users read-access to c:\documents and settings\default user and its subfolders and files.
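The permission checks listed in the answer above can be audited in one pass. This is an added example, not code from the thread; it assumes PowerShell is installed on the terminal server, English built-in account names, and uses `testuser` as a placeholder account.

```powershell
# Added example (not from the thread). Run on the terminal server.
# Assumptions: PowerShell is installed, built-in account names are English,
# and 'testuser' is a placeholder for the affected account.
param(
    [string]$UserName    = 'testuser',
    [string]$ProfileRoot = 'C:\Documents and Settings'
)

$fsr = [System.Security.AccessControl.FileSystemRights]

# Returns OK / FAIL / MISSING for one path, identity pattern and required rights.
function Test-AllowAce {
    param([string]$Path, [string]$Identity, [int]$Needed)
    if (-not (Test-Path $Path)) { return 'MISSING' }
    $match = (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like $Identity -and
        (([int]$_.FileSystemRights -band $Needed) -eq $Needed)
    }
    if ($match) { return 'OK' } else { return 'FAIL' }
}

$userDir    = Join-Path $ProfileRoot $UserName
$defaultDir = Join-Path $ProfileRoot 'Default User'

# One row per permission named in the answer: path, identity, rights required.
$checks = @(
    @($ProfileRoot, 'BUILTIN\Users',       $fsr::ReadAndExecute),
    @($ProfileRoot, 'NT AUTHORITY\SYSTEM', $fsr::FullControl),
    @($userDir,     "*\$UserName",         $fsr::FullControl),
    @($defaultDir,  'BUILTIN\Users',       $fsr::Read)
)

foreach ($c in $checks) {
    $result = Test-AllowAce $c[0] $c[1] $c[2]
    '{0,-8} {1,-22} {2}' -f $result, $c[1], $c[0]
}
```

The check matches only ACEs that name the identity directly, so access granted through another group shows as FAIL; compare the output for a failing account against one that logs on normally.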

ASKER
webshock

Thanks for the replies :)

Neither of these fixes worked.


Something else that I tried, I made a new user and added them to the remote users group and gave full permissions to the folder and I still got the same error.

So basically any new user made gives this error. Anything else I can try?
plug1

OK they are in the remote users group, what other groups are these users in on the domain? I take it they are domain users?
Henrik Johansson

The users need to be members of remote desktop users to be able to logon through terminal service.

You did check the permissions on the c:\documents and settings-structure on the terminal server?

Is the profile roaming and located on a file server? What are the permissions on the file server (NTFS AND share)?
ASKER
webshock

Ok, I have enclosed some screenshots so you can see the exact error and the test account properties.

This error occurs with every new remote user we create. The weird thing is that other users with the same memberships are able to log in not being part of the administrator group.
error.jpg
properties.jpg
plug1

Fair play they seem to be in the right groups anyway. In the ADUC what are their roaming profiles set to and also what are their ts profiles set to? Could you post more pics like the ones above?
ASKER
webshock

Sure, I'll post more screens, please tell me exactly what you want to see. I am very new to this and appreciate the help.
Henrik Johansson

Tab Profile and "Terminal Services profile"
What errors (including source/eventid) do you get in the eventlog on the terminal server?
ASKER
webshock

Henjoh09: Here's the log
event.jpg
plug1

OK the log gives us nothing new, we just need the user's properties now with the tabs mentioned, profile and terminal services profile.
Henrik Johansson

Do you only get 1500-errors, or do you get other errors?
ASKER
webshock

Henjoh09:
When I fail to log in that's the only log that comes up for the event. There are some other errors in the log but I'm not sure if they are related.

One thing I noticed was that the profiles tab was missing the locations to the home folder under connect to as well as the path. The folders below illustrate the changes I made to the test account.

When I went into the profiles tab I did see that profiles were stored on a separate server that also houses the exchange server.
Profile path pointed to \\<Servername>\Profile\<UserName>
Home folder was also pointed to the same place, it had a Z map as well under the connect option.

I created a folder on this separate server and gave full access to the test account in the security tab, I also created the folder under the same name as the login, since that's the same structure for the account that works. SYSTEM also had full access.

With doing all that, I still get the error. Also included is a new error I got when I tied in the home folder info under the profile tab.
cache.jpg
profile.jpg
plug1

Have you shared the folder, what are the share permissions, default are read only. Check them straight away mate.
Henrik Johansson

The 1525 error should not be related to the access denied, but shall be corrected. Separate the home and profile and place them on different shares.

Home folder = enable offline caching on share

Profile share shall, as stated in the eventlog message, NOT have caching enabled. Best practice for roaming profiles is to let the system create the user's folder on the server by itself to grant the user the correct permissions.
Henrik Johansson

For the 1500, see http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1500&EvtSrc=Userenv&LCID=1033 about possible causes for the error.

Also see http://support.microsoft.com/kb/837115 about a tool called UPHClean

As it's a terminal server, you should configure the following policy settings:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Set Path for TS Roaming Profiles
Computer Configuration\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles

ASKER
webshock

plug1:
The folder that houses the individual folders is shared.
So my testuser sits in a profiles folder, the profiles folder is shared. Since it's shared, I don't need to share the individual folders inside of it do I?
Henrik Johansson

No, you only need to share the parent folder
ASKER
webshock

henjoh, Where can I make these changes you suggested? Can you tell me how to get to these settings?

As it's a terminal server, you should configure the following policy settings:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Set Path for TS Roaming Profiles
Computer Configuration\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles
ASKER CERTIFIED SOLUTION
Henrik Johansson
